VaultGemma is a 1-billion-parameter large language model based on Gemma 2, trained entirely from scratch by Google using differential privacy (DP) to prevent the model from memorizing and reproducing training data. Though still in the research phase, VaultGemma holds potential for deployment in regulated fields such as healthcare, finance, and legal services.

Differential privacy is a mathematical framework designed to release statistical insights from datasets without exposing individual data points. This is typically achieved by introducing calibrated noise into the training process, making it more difficult to infer specific details of any individual sample while preserving overall statistical accuracy.

A critical assumption behind this approach is that the privacy-preserving noise added must be significantly greater than the inherent randomness in the original data. This requirement increases the batch size—the set of samples fed to the model during training—leading to higher computational demands.

In the context of large language models, differential privacy ensures that the model’s output is statistically indistinguishable from what would be obtained if trained on a dataset that excludes any particular individual sample. As a result, an adversary cannot confidently determine whether a specific data point was part of the training set.

While differential privacy offers rigorous and quantifiable privacy guarantees, it comes at a cost. The added noise can degrade model accuracy and increase training complexity. Google’s research focuses specifically on this trade-off, aiming to uncover the scaling laws for DP models—in other words, identifying the optimal training configurations that minimize performance loss under a given privacy guarantee and computational budget.

We leveraged scaling laws to determine the required computational resources for training a computationally optimal 1-billion-parameter Gemma 2-based DP model, and how best to allocate these resources across batch size, number of training steps, and sequence length to maximize utility.

In addition, Google researchers introduced a novel training algorithm utilizing Poisson sampling instead of uniform batching, aiming to reduce the amount of noise required to achieve the desired level of privacy protection.

VaultGemma was benchmarked against non-private, non-DP models such as Gemma 3 1B and GPT-2 1.5B. The results showed performance comparable to GPT-2 across several evaluation metrics, including HellaSwag, BoolQ, PIQA, SocialIQA, TriviaQA, and ARC-C/E. These comparisons offer a relatively objective measure of the performance cost associated with differential privacy.

The weights for VaultGemma are publicly available on Hugging Face and Kaggle, subject to Google’s terms of use.

Although VaultGemma is not the first attempt at applying differential privacy to large language models, Google researchers claim it is the largest of its kind to date. Previously, differential privacy has primarily been applied to fine-tuning stages of large language models to prevent the exposure of user-specific data.